Abstract. In discrete logarithm based cryptography, a method by Pohlig and Hellman allows solving the discrete logarithm problem efficiently if the group order is known and has no large prime factors. The consequence is that such groups are avoided. In the past, there have been proposals for cryptography based on cyclic infrastructures. We will show that the Pohlig-Hellman method can be adapted to certain cyclic infrastructures, which similarly implies that certain infrastructures should not be used for cryptography. This generalizes a result by Müller, Vanstone and Zuccherato for infrastructures obtained from hyperelliptic function fields.

We recall the Pohlig-Hellman method, define the concept of a cyclic infrastructure and briefly describe how to obtain such infrastructures from certain function fields of unit rank one. Then, we describe how to obtain cyclic groups from discrete cyclic infrastructures and how to apply the Pohlig-Hellman method to compute absolute distances, which is in general a computationally hard problem for cyclic infrastructures. Moreover, we give an algorithm which allows one to test whether an infrastructure satisfies certain requirements needed for applying the Pohlig-Hellman method, and discuss whether the Pohlig-Hellman method is applicable in infrastructures obtained from number fields. Finally, we discuss how this influences cryptography based on cyclic infrastructures.

1. Introduction 

Since the advent of cryptographic protocols such as the Diffie-Hellman key exchange protocol and ElGamal encryption, the security of many cryptographic protocols is based on the hardness of the discrete logarithm problem: given $h$, an element of a finite cyclic group $\langle g \rangle$, find an integer $n \in \mathbb{N}$ such that $g^n = h$. In 1978, S. C. Pohlig and M. E. Hellman [20] presented an algorithm which allows one to quickly solve the discrete logarithm problem in a finite cyclic group if the group order $|G|$ has a known factorization into a product of relatively small primes (see Section 4 for more details). Since then, one prefers to use groups of (almost) prime order or groups whose order has at least one large prime factor for discrete logarithm based cryptography, to avoid this kind of attack.

In 1990, R. Scheidler, J. A. Buchmann and H. C. Williams described a key exchange [23] which was not based on cyclic groups but on a structure first introduced by D. Shanks in 1972 [28], called the infrastructure of a real quadratic number field. This structure behaves similarly to finite cyclic groups, with the main difference that the operation corresponding to multiplication is not associative. This structure was generalized from real quadratic number fields to arbitrary number fields of unit rank one [6], and also to real quadratic function fields [33, 30, 32] and more general function fields [25, 22]. Moreover, the key exchange protocol for infrastructures was refined [13, 12] and extended to real quadratic function fields [26, 10]. The security of these protocols is mostly based on the fact that computing distances in infrastructures is in general assumed to be hard. As the problem of computing distances in infrastructures is related (see Section 5) to the problem of computing discrete logarithms in finite cyclic groups, one has to ask whether the idea of Pohlig-Hellman can be applied in this setting.

In 1998, V. Müller, S. Vanstone and R. Zuccherato [18] answered this question positively in the case of infrastructures obtained from real quadratic function fields of characteristic 2. We will generalize this to obtain a positive answer for a more general class of infrastructures, which includes all infrastructures obtained from function fields. Then, we will argue why this is probably not possible for infrastructures obtained from number fields, at least without further input.

In Section 2 we will define the concept of a cyclic infrastructure and show how such infrastructures can be obtained from certain global function fields with two infinite places. After that, in Section 3 we will show how to obtain cyclic groups from such infrastructures and how to efficiently compute in them, assuming that one can efficiently compute in the underlying infrastructure. In Section 4 we will recall how the Pohlig-Hellman method works, and in Section 5 we will show how Pohlig-Hellman can be applied in the case of discrete cyclic infrastructures. Then, in Section 6 we will describe an algorithm to test whether the main requirement of the Pohlig-Hellman method, namely that the group order is smooth, is satisfied. Finally, in Section 7 we will discuss the number field case, and in Section 8 we will explain the consequences for cyclic infrastructure based cryptography.

2. Cyclic infrastructures 

In this section, we define an abstract version of a cyclic infrastructure. This definition, including the description of baby steps and giant steps, is based on the interpretation of Shanks' infrastructure in the context of a 'circle group' by H. W. Lenstra [15], even though he uses a different distance function.

Roughly speaking, a cyclic infrastructure can be interpreted as a circle with a 
finite set of points on it. 

Definition 2.1. Let $R \in \mathbb{R}_{>0}$ be a positive real number. A cyclic infrastructure $(X, d)$ of circumference $R$ is a non-empty finite set $X$ with an injective map $d : X \to \mathbb{R}/R\mathbb{Z}$, called the distance function.

Definition 2.2. We say that a cyclic infrastructure $(X, d)$ of circumference $R$ is discrete if $R \in \mathbb{Z}$ and $d(X) \subseteq \mathbb{Z}/R\mathbb{Z}$.

One can interpret finite cyclic groups as discrete cyclic infrastructures as follows: Let $G = \langle g \rangle$ be a finite cyclic group of order $m$ and $d : G \to \mathbb{Z}/m\mathbb{Z}$ be the discrete logarithm map (footnote 1) (to the base $g$), i.e. we have $g^{d(h)} = h$ for every $h \in \langle g \rangle$. By interpreting $\mathbb{Z}/m\mathbb{Z}$ as a subset of $\mathbb{R}/m\mathbb{Z}$, we get that $(G, d)$ is a discrete cyclic infrastructure of circumference $m$.

Footnote 1: The discrete logarithm of an element $h \in \langle g \rangle$ is sometimes, in particular in Elementary Number Theory, also called the index of $h$ with respect to $g$.

An infrastructure has two operations, namely baby steps and giant steps. For 
their definition, we need the following notation: 

Definition 2.3. Let $R \in \mathbb{R}_{>0}$ and let $x, y \in \mathbb{R}/R\mathbb{Z}$. Write $x = \tilde{x} + R\mathbb{Z}$ and $y = \tilde{y} + R\mathbb{Z}$ with $\tilde{x}, \tilde{y} \in \mathbb{R}$ such that $\tilde{x} \le \tilde{y} < \tilde{x} + R$. Define

$$[x, y] := \{ t + R\mathbb{Z} \mid t \in \mathbb{R},\ \tilde{x} \le t \le \tilde{y} \}.$$

If one interprets $\mathbb{R}/R\mathbb{Z}$ as a circle with circumference $R$, and $x$ and $y$ as points on this circle, the set $[x, y]$ can be interpreted as the points on the circle which lie on the arc beginning at $x$ and ending at $y$.

Now we can define baby steps and giant steps. We will exclude the case $|X| = 1$, as in this case the infrastructure is trivial and not of practical interest.

Proposition 1. Let $(X, d)$ be a cyclic infrastructure of circumference $R$. Assume that $|X| > 1$.

(a) Then there is a unique bijective fixed point free map $\mathrm{bs} : X \to X$ such that for every $x \in X$, we have

$$[d(x), d(\mathrm{bs}(x))] \cap d(X) = \{ d(x), d(\mathrm{bs}(x)) \}.$$

This map is called the baby step map.

(b) Moreover, there is a unique map $\mathrm{gs} : X \times X \to X$ such that for every $x, y \in X$, we have

$$[d(x) + d(y), d(\mathrm{gs}(x, y))] \cap d(X) = \{ d(\mathrm{gs}(x, y)) \}.$$

This map is called the giant step map.

Let $G = \langle g \rangle$ be a finite cyclic group of order $n > 1$ and let $d : G \to \mathbb{Z}/n\mathbb{Z}$ be the discrete logarithm map. Then, for the cyclic infrastructure $(G, d)$, we have $\mathrm{bs}(h) = gh$ and $\mathrm{gs}(h, h') = hh'$ for all $h, h' \in G$. Applying $d$, this translates to $d(\mathrm{bs}(h)) = d(h) + 1$ and $d(\mathrm{gs}(h, h')) = d(h) + d(h')$. This shows that baby and giant steps in arbitrary infrastructures generalize the group operation of a finite cyclic group.

In the case of finite cyclic groups, both baby steps and giant steps are basically the same operation. In arbitrary infrastructures, this is not the case, as in general there is no element $x \in X$ with $\mathrm{gs}(x, y) = \mathrm{bs}(y)$ for all $y \in X$.

In general, cyclic infrastructures behave similarly to cyclic groups, with the main difference being that the giant step operation is not necessarily associative, but "almost" associative in the sense that

$$d(\mathrm{gs}(x, y)) \approx d(x) + d(y).$$

Here, $\approx$ for elements in $\mathbb{R}/R\mathbb{Z}$ means that both sides have representatives in $\mathbb{R}$ which are relatively close to each other.

We want to close this section by showing how to obtain discrete cyclic infrastructures from certain global function fields. Let $\mathbb{F}_q$ be a finite field with $q$ elements and $K = \mathbb{F}_q(x, y)$ a finite separable extension of $\mathbb{F}_q(x)$, $x$ transcendental over $\mathbb{F}_q$, such that $\mathbb{F}_q$ is relatively algebraically closed in $K$. Let $\mathcal{O}$ be the integral closure of $\mathbb{F}_q[x]$ in $K$, and assume that the degree valuation of $\mathbb{F}_q(x)$ has exactly two extensions to $K$; these are the infinite places $\mathfrak{p}_1$ and $\mathfrak{p}_2$ of $K$. Let $v_i : K \to \mathbb{Z} \cup \{\infty\}$ be the normalized valuation associated to $\mathfrak{p}_i$, $i = 1, 2$.



FELIX FONTEIN



Now, by Dirichlet's Unit Theorem for function fields [?, p. 299, Theorem 9.5], $\mathcal{O}^* = \langle \varepsilon \rangle \oplus \mathbb{F}_q^*$ for some $\varepsilon \in \mathcal{O}^* \setminus \mathbb{F}_q^*$; without loss of generality, let $R := -v_1(\varepsilon) > 0$. Assume that at least one of the infinite places has degree one (footnote 2).

If $a, b \in K^*$ are two elements, then the principal fractional ideals $\mathcal{O}a$ and $\mathcal{O}b$ are equal if, and only if, $\frac{a}{b} \in \mathcal{O}^*$. Therefore, if $\mathrm{PId}(\mathcal{O})$ denotes the set of non-zero principal fractional ideals of $\mathcal{O}$, we have a well-defined map

$$D : \mathrm{PId}(\mathcal{O}) \to \mathbb{Z}/R\mathbb{Z}, \quad \mathcal{O}a \mapsto -v_1(a) + R\mathbb{Z}.$$

We say that a principal fractional ideal $\mathfrak{a} \in \mathrm{PId}(\mathcal{O})$ is reduced if $1 \in \mathfrak{a}$ and, for every $\alpha \in \mathfrak{a} \setminus \{0\}$ with $v_i(\alpha) \ge 0$, $i = 1, 2$, we must have $\alpha \in \mathbb{F}_q^*$. Denote the set of all reduced principal fractional ideals by $\mathrm{Red}(K)$. Now one has that $d := D|_{\mathrm{Red}(K)}$ is injective (footnote 3) which, in particular, shows that $X := \mathrm{Red}(K)$ is finite. Therefore, $(X, d)$ is a discrete cyclic infrastructure.

In certain cases, namely real quadratic (i.e. real hyperelliptic) function fields [33, 32, 11] and for certain cubic function fields of unit rank one [25, 22], we can efficiently compute baby steps, inverse baby steps and giant steps (i.e. given $x, y \in X$, we can compute $\mathrm{bs}(x)$, $\mathrm{bs}^{-1}(x)$ and $\mathrm{gs}(x, y)$), and we can efficiently compute relative distances (footnote 4)

$$d(\mathrm{gs}(\mathfrak{a}, \mathfrak{b})) - d(\mathfrak{a}) - d(\mathfrak{b}) \quad \text{and} \quad d(\mathrm{bs}(\mathfrak{a})) - d(\mathfrak{a})$$

for all $\mathfrak{a}, \mathfrak{b} \in \mathrm{Red}(K)$.

One further fundamental property of these infrastructures is that computation of $d$ is hard, i.e. given $x \in X$, it is hard to compute the absolute distance $d(x)$ except for a few special values of $x$. Moreover, $R$ itself does not need to be known. This allows one to do cryptography in infrastructures, as for doing cryptography, one must be able to efficiently compute certain objects (here: baby steps, giant steps and relative distances), while inverse computations (here: computing absolute distances) must be hard.

3. Obtaining cyclic groups from discrete cyclic infrastructures 

Our aim is to embed a cyclic infrastructure into a one-dimensional torus and to 
describe arithmetic on the torus using the arithmetic of the infrastructure, i.e. by 
using giant and baby steps. More precisely, we embed the infrastructure into WL/RZ 
or Z/RZ by adding the missing elements that are not in the infrastructure. One 
way to describe these missing elements are /-representations. 

In the number field case, another embedding and representation has been first 
described by H. W. Lenstra in |I5j : a more general and more modern approach can 
be found in [27] . 

2 If one drops this assumption, one cannot show that one has 'enough' reduced ideals, which 
makes computation of baby and giant steps problematic. One has to use another definition of 
reduced ideals, and define an equivalence relation on the set of all reduced ideals to make d 
injective. 

3 Let 0\,0\ G Red(_ft') with ui(a) = ui(b) + kR, k G Z. As 0\ = and vx{ae~ h ) = 

v\(b), we assume k = without loss of generality. Now — G and ) = 0. If H2(— ) > 0, 
then we must have - G F* as O- is reduced, whence O- = 0\. If vii-) < 0, we have iVt) > 0, 

a Q a ' a b v a 71 v b ! ' 

ui(^) = and | G 0\, contradicting that f G F* as 0\ is reduced. 

From now on, we will interpret these relative distances as real numbers instead of elements of 
W/HZ, by identifying them with their smallest non-negative representative, i.e. we identify a + RL 
with a if < a < R. 
Let $(X, d)$ be a cyclic infrastructure of circumference $R$.

Definition 3.1. An $f$-representation is a pair $(x, f)$, where $x \in X$ and $f \in [0, R[$ such that $[d(x), d(x) + f] \cap d(X) = \{ d(x) \}$. Denote the set of $f$-representations by $\mathrm{Rep}_f(X, d)$.

If $(X, d)$ is discrete, define the subset

$$\mathrm{Rep}_{\mathrm{discrete}}(X, d) := \{ (x, f) \in \mathrm{Rep}_f(X, d) \mid f \in \mathbb{Z} \}.$$

Note that infrastructures obtained from function fields, as described in Section 2, are discrete. One can also obtain infrastructures from number fields of unit rank one by a very similar method (for details, see [6]), but these are never discrete (see Section 7).

Definition 3.2. Define the (absolute) distance of a pair $(x, f) \in X \times \mathbb{R}$ by

$$d(x, f) := d(x) + f \in \mathbb{R}/R\mathbb{Z}.$$

Then we have the following proposition:

Proposition 2. The map

$$d|_{\mathrm{Rep}_f(X, d)} : \mathrm{Rep}_f(X, d) \to \mathbb{R}/R\mathbb{Z}, \quad (x, f) \mapsto d(x, f) = d(x) + f$$

gives a bijection between the set of $f$-representations and $\mathbb{R}/R\mathbb{Z}$. If $(X, d)$ is discrete, this restricts to a bijection

$$d|_{\mathrm{Rep}_{\mathrm{discrete}}(X, d)} : \mathrm{Rep}_{\mathrm{discrete}}(X, d) \to \mathbb{Z}/R\mathbb{Z}.$$

Remark 1. If $(x, f) \in X \times \mathbb{R}$ is arbitrary, there exists a unique $f$-representation $(x', f')$ such that $d(x, f) = d(x', f')$. More precisely, it is the $f$-representation $(x', f')$ with $d(x, f) = d(x', f')$ such that $f' \ge 0$ is minimal.

If $|f|$ is small, $(x', f')$ can be computed efficiently using baby steps by starting with $(x, f)$ and minimizing $f$:

(1) While $f$ is negative, replace $(x, f)$ by $(\mathrm{bs}^{-1}(x), f + \Delta)$, where $\Delta := d(x) - d(\mathrm{bs}^{-1}(x)) \in [0, R[$.

(2) Compute $x'' := \mathrm{bs}(x)$ and $\Delta' := d(x'') - d(x) \in [0, R[$.

(3) If $\Delta' > f$, then $(x, f)$ is an $f$-representation and we are done.

(4) Otherwise, replace $(x, f)$ by $(x'', f - \Delta')$ and continue with step (2).

One quickly sees that none of these operations modify the distance $d(x, f)$. In case $(X, d)$ is discrete, one needs at most $|f|$ (inverse) baby step computations.

Using this remark, we get the following proposition:

Proposition 3. If $(x, f)$ and $(x', f')$ are $f$-representations, consider the tuple

$$\bigl(\mathrm{gs}(x, x'),\ f + f' - (d(\mathrm{gs}(x, x')) - d(x) - d(x'))\bigr).$$

By the previous remark, it corresponds to a unique $f$-representation $(x'', f'')$. If we define

$$(x, f) \circ (x', f') := (x'', f''),$$

we get that $(\mathrm{Rep}_f(X, d), \circ)$ is a group and

$$d|_{\mathrm{Rep}_f(X, d)} : (\mathrm{Rep}_f(X, d), \circ) \to (\mathbb{R}/R\mathbb{Z}, +)$$

is a group isomorphism. If $(X, d)$ is discrete, we get that $(\mathrm{Rep}_{\mathrm{discrete}}(X, d), \circ)$ is a subgroup of $\mathrm{Rep}_f(X, d)$ and that

$$d|_{\mathrm{Rep}_{\mathrm{discrete}}(X, d)} : (\mathrm{Rep}_{\mathrm{discrete}}(X, d), \circ) \to (\mathbb{Z}/R\mathbb{Z}, +)$$

is a group isomorphism. The relationships between these structures are described in the following diagram:

$$\begin{array}{ccccc} X \times \mathbb{R} & \supseteq & \mathrm{Rep}_f(X, d) & \supseteq & \mathrm{Rep}_{\mathrm{discrete}}(X, d) \\ \downarrow d & & \downarrow d|_{\mathrm{Rep}_f(X, d)} & & \downarrow d|_{\mathrm{Rep}_{\mathrm{discrete}}(X, d)} \\ \mathbb{R}/R\mathbb{Z} & = & \mathbb{R}/R\mathbb{Z} & \supseteq & \mathbb{Z}/R\mathbb{Z} \end{array}$$

Therefore, if we are able to efficiently compute $\mathrm{bs}$, $\mathrm{bs}^{-1}$ and $\mathrm{gs}$ and relative distances for an infrastructure $(X, d)$, we can efficiently compute in a group isomorphic to $\mathbb{R}/R\mathbb{Z}$ or $\mathbb{Z}/R\mathbb{Z}$, even if $R$ is unknown and without the need to evaluate the function $d$ for general elements of $X$. More precisely:

Corollary 1. Let $(X, d)$ be an infrastructure such that $\mathrm{bs}$, $\mathrm{bs}^{-1}$ and $\mathrm{gs}$ are efficiently computable, together with the relative distances. Let $d_{\min} := \min\{ d(\mathrm{bs}(x)) - d(x) \mid x \in X \}$ and $d_{\max} := \max\{ d(\mathrm{bs}(x)) - d(x) \mid x \in X \}$. Then one group operation in $\mathrm{Rep}_f(X, d)$ can be computed using one $\mathrm{gs}$ computation and at most $\lceil 2 d_{\max} / d_{\min} \rceil$ computations of $\mathrm{bs}$ or at most $\lceil d_{\max} / d_{\min} \rceil$ computations of $\mathrm{bs}^{-1}$.

Proof. Given $(x, f), (x', f') \in \mathrm{Rep}_f(X, d)$, one first computes $(x'', f'')$ by $x'' := \mathrm{gs}(x, x')$ and $f'' := f + f' + (d(x) + d(x') - d(x''))$; then $d(x'', f'') = d(x, f) + d(x', f')$. As, by definition of the giant step function, $-d_{\max} < d(x) + d(x') - d(x'') \le 0$, we have $-d_{\max} < f'' < 2 d_{\max}$. When replacing $(x'', f'')$ by $(\mathrm{bs}(x''), f'' - (d(\mathrm{bs}(x'')) - d(x'')))$ resp. $(\mathrm{bs}^{-1}(x''), f'' + (d(x'') - d(\mathrm{bs}^{-1}(x''))))$, we have that $f''$ decreases resp. increases by at least $d_{\min}$. Hence, we can do at most $\lceil 2 d_{\max} / d_{\min} \rceil$ baby steps resp. $\lceil d_{\max} / d_{\min} \rceil$ inverse baby steps before $f''$ gets negative resp. positive. $\square$

If $(X, d)$ is a discrete infrastructure, $d_{\min} \ge 1$. If $(X, d)$ is obtained from a function field as described at the end of Section 2, it is an easy application of the Riemann-Roch Theorem [31, p. 28, Theorem 1.5.15] to see that $d_{\max}$ is bounded in terms of the genus $g$ and $\deg \mathfrak{p}_2$. This also shows that one should order $\mathfrak{p}_1$ and $\mathfrak{p}_2$ such that $\deg \mathfrak{p}_1 \ge \deg \mathfrak{p}_2$. Note that this result is also valid if $\deg \mathfrak{p}_i > 1$ for both $i$.

Remark 2. In case we want to compute in $\mathrm{Rep}_f(X, d)$ (which is, for example, necessary if $(X, d)$ is not discrete), we need to work with (arbitrary) real numbers. As this is not possible on computers, one needs to approximate them using floating point numbers. More details on this can be found in [?] and [13]; there, such representations are called CRIAD-representations resp. $(f, p)$-representations.

Finally, we want to note that in the case of real hyperelliptic function fields, a similar representation has been used by S. Paulus and H.-G. Rück in [19] to describe the arithmetic in the Jacobian. This, together with the discussion in [11], shows that in this case, our group $\mathbb{Z}/R\mathbb{Z}$ is in fact the subgroup of the Jacobian which is generated by the divisor class of $\mathfrak{p}_1 - \mathfrak{p}_2$. This is also true for non-hyperelliptic function fields under the assumption that $\deg \mathfrak{p}_1 = \deg \mathfrak{p}_2 = 1$.
4. Pohlig-Hellman in groups

Before explaining how to do Pohlig-Hellman in discrete infrastructures in Section 5, we want to recall the Pohlig-Hellman method for finite cyclic groups.

Assume that we have a finite cyclic group $G = \langle g \rangle$ of order $m$ and an element $h \in G$. We can consider the discrete logarithm problem, which states that one wants to find some $n \in \mathbb{N}$ with

$$g^n = h.$$

Note that $n$ is unique modulo $m$. Assume that the prime factorization

$$m = \prod_{i=1}^{t} p_i^{e_i}$$

with distinct primes $p_1, \dots, p_t$ and positive integers $e_1, \dots, e_t \in \mathbb{N}_{>0}$ is known. To compute $n$, note that by the Chinese Remainder Theorem,

$$G \cong \mathbb{Z}/m\mathbb{Z} \cong \mathbb{Z}/p_1^{e_1}\mathbb{Z} \times \cdots \times \mathbb{Z}/p_t^{e_t}\mathbb{Z}.$$

Therefore, we can compute $n$ modulo $p_i^{e_i}$ for every $i$ and deploy the Chinese Remainder Theorem to recover $n$ modulo $m$.

To compute $n \bmod p_i^{e_i}$, we successively compute $n \bmod p_i^{\ell}$, $\ell = 1, \dots, e_i$, by considering the discrete logarithm problem

$$\bigl(g^{m/p_i^{\ell}}\bigr)^{n \bmod p_i^{\ell}} = h^{m/p_i^{\ell}},$$

where $n \bmod p_i^{\ell}$ is sought. As we assume that we already know $n \bmod p_i^{\ell-1}$, we only have to solve the discrete logarithm problem

$$(1) \qquad \bigl(g^{m/p_i}\bigr)^{n'} = h^{m/p_i^{\ell}} \cdot g^{-(m/p_i^{\ell})\,(n \bmod p_i^{\ell-1})},$$

where $n' \in \{0, \dots, p_i - 1\}$, to obtain

$$n \bmod p_i^{\ell} = (n \bmod p_i^{\ell-1}) + n' p_i^{\ell-1}.$$

Assuming that we are using a method for solving discrete logarithms for elements of prime order $p$ which needs $O(\sqrt{p})$ group operations (according to [29], this is optimal if one assumes that $G$ behaves like a generic group), the running time of Pohlig-Hellman is

$$O\Bigl(\sum_{i=1}^{t} e_i \max\{\sqrt{p_i}, \log m\}\Bigr) = O\bigl(t \max_i e_i \max\{\sqrt{p_i}, \log m\}\bigr)$$

group operations.

5. Pohlig-Hellman in discrete infrastructures

Assume that $(X, d)$ is a discrete infrastructure of circumference $R \in \mathbb{Z}$. We have seen that this gives rise to a finite set $\mathrm{Rep}_{\mathrm{discrete}}(X, d)$ of $R$ elements, which can be equipped with the structure of a cyclic group. In the following, we will write this group additively, i.e. the group operation will be $+$ and instead of exponentiation, we will use scalar multiplication.

We further assume that $R$ together with an element $(x, f) \in \mathrm{Rep}_{\mathrm{discrete}}(X, d)$ is known where $d(x, f) = d(x) + f$ is known and small (footnote 5). Using baby steps and inverse baby steps, we can compute an $f$-representation $(x', f')$ with $d(x', f') = 1$ from this (compare Remark 1). Then we have $\mathrm{Rep}_{\mathrm{discrete}}(X, d) = \langle (x', f') \rangle$.

Footnote 5: We call an element $r \in \mathbb{R}/R\mathbb{Z}$ small if we can write $r = \tilde{r} + R\mathbb{Z}$ with $\tilde{r}$ small.

In the group $(\mathrm{Rep}_{\mathrm{discrete}}(X, d), +)$ we can consider the discrete logarithm problem

$$n \cdot (x', f') = (x'', f''),$$

where $(x'', f'') \in \mathrm{Rep}_{\mathrm{discrete}}(X, d)$ and $n \in \mathbb{Z}$. In particular, as $d(x', f') = 1$, we have that $d(x'', f'') = n + R\mathbb{Z}$, whence solving the discrete logarithm problem for an element in $X$ is equivalent to computing a distance of an element in $X$.

As we can effectively compute the group operation in $\mathrm{Rep}_{\mathrm{discrete}}(X, d)$, we can employ any algorithm for computing discrete logarithms in groups to find $n$ and, in particular, as we know the group order, we can employ the Pohlig-Hellman algorithm.

Assume that the prime factorization

$$R = \prod_{i=1}^{t} p_i^{e_i}$$

with distinct primes $p_1, \dots, p_t$ and positive integers $e_1, \dots, e_t \in \mathbb{N}_{>0}$ is known. We have seen in Section 4 that in order to find $n$, we need to solve the discrete logarithm problems

$$(2) \qquad n' \cdot \Bigl(\frac{R}{p_i} \cdot (x', f')\Bigr) = \frac{R}{p_i^{\ell}} \cdot (x'', f'') - (n \bmod p_i^{\ell-1}) \cdot \Bigl(\frac{R}{p_i^{\ell}} \cdot (x', f')\Bigr)$$

for $n'$ for $i = 1, \dots, t$ and $\ell = 1, \dots, e_i$; this is Equation (1) transcribed to our setting. Note that we know that the order of $\frac{R}{p_i^{\ell}} \cdot (x', f')$ divides $p_i^{\ell}$, whence we have that $-\frac{R}{p_i^{\ell}} \cdot (x', f') = (p_i^{\ell} - 1) \cdot \frac{R}{p_i^{\ell}} \cdot (x', f')$. In particular, there is no need to compute inverses, if one rewrites Equation (2) as

$$n' \cdot \Bigl(\frac{R}{p_i} \cdot (x', f')\Bigr) = \frac{R}{p_i^{\ell}} \cdot (x'', f'') + (n \bmod p_i^{\ell-1}) \cdot (p_i^{\ell} - 1) \cdot \Bigl(\frac{R}{p_i^{\ell}} \cdot (x', f')\Bigr).$$

As in Section 4, we get that the running time of Pohlig-Hellman is

$$O\Bigl(\sum_{i=1}^{t} e_i \max\{\sqrt{p_i}, \log R\}\Bigr) = O\bigl(t \max_i e_i \max\{\sqrt{p_i}, \log R\}\bigr)$$

group operations in $\mathrm{Rep}_{\mathrm{discrete}}(X, d)$.

Remarks 1.

(a) The Pohlig-Hellman method can be parallelized: for computing $n \bmod p_i^{e_i}$, there is no knowledge required of $n \bmod p_j^{e_j}$ for any $j \ne i$. This reduces the running time to

$$O\bigl(\max_{i=1,\dots,t} e_i \max\{\sqrt{p_i}, \log R\}\bigr)$$

group operations in $\mathrm{Rep}_{\mathrm{discrete}}(X, d)$ when using $t$ processors.

(b) Note that it suffices to know an integer multiple $R'$ of the circumference $R$ and the factorization

$$R' = \prod_{i=1}^{t'} p_i^{e_i'}$$

with $t' \ge t$. In this case, we have $e_i' \ge e_i$ for each $i \le t$. If one applies Pohlig-Hellman with $R'$ instead of $R$, i.e. by replacing the $e_i$'s by the $e_i'$'s, the algorithm will return the same value of $n$, as for $\ell > e_i$, the solution of Equation (2) will be $n' = 0$. The only disadvantage is that the running time will increase to

$$O\bigl(t' \max_i e_i' \max\{\sqrt{p_i}, \log R'\}\bigr)$$

group operations.

An alternative is to first try to find the $e_i$'s from the $e_i'$'s. For that, one computes $\frac{R'}{p_i} \cdot (x', f')$ for each $i$; if this equals the identity in $\mathrm{Rep}_{\mathrm{discrete}}(X, d)$, we have $e_i' > e_i$. In that case, we can decrease $e_i'$ by one, i.e. replace $R'$ by $\frac{R'}{p_i}$, and try again.

(c) One can also deploy the Pohlig-Hellman method if $d(x', f') \ne 1$. In case no $n'$ is found for one instance of Equation (2), we have $(x'', f'') \notin \langle (x', f') \rangle$.

If we have $d(x', f') \ne 1$, it is enough to know an integer multiple of $\frac{R}{\gcd(\ell, R)}$, where $\ell \in \mathbb{Z}$ is any integer with $\ell + R\mathbb{Z} = d(x', f')$, as $\frac{R}{\gcd(\ell, R)}$ is the order of $(x', f')$ in $\mathrm{Rep}_{\mathrm{discrete}}(X, d)$.



6. Testing for smooth circumference

With respect to the result from the last section, it is desirable to check whether a given discrete cyclic infrastructure $(X, d)$ with circumference $R$ satisfies that $R$ is $B$-smooth, i.e. that all prime divisors of $R$ are $\le B$, for some integer $B \in \mathbb{N}$. In practice, in particular when using a discrete cyclic infrastructure for cryptographic reasons, it can happen that $R$ is not known. In this section, we present an algorithm which still allows one to check whether $R$ is $B$-smooth. (Also see the discussion following Question 1 in Section 8, where the smoothness of the regulator of a randomly chosen function field is discussed.)

For this, we make the following requirements:

(1) we know some $(x, f) \in \mathrm{Rep}_{\mathrm{discrete}}(X, d)$ with $d(x, f) = 1$;

(2) we know an upper bound $R'$ for $R$;

(3) for every $(x', f') \in \mathrm{Rep}_{\mathrm{discrete}}(X, d)$, we can efficiently check whether $d(x', f') = 0$, i.e. whether $(x', f')$ is the identity in $\mathrm{Rep}_{\mathrm{discrete}}(X, d)$.

For discrete cyclic infrastructures obtained from unit rank one function fields as described in Section 2, these requirements are always satisfied. Assume that $K$ is such a function field with full field of constants $\mathbb{F}_q$ and genus $g$. Then we have that:

(1) either $(x, f) = (\mathcal{O}, 1)$ or $(x, f) = (\mathrm{bs}(\mathcal{O}), 0)$ is an $f$-representation with $d(x, f) = 1$;

(2) an explicit upper bound for $R$ can be given using Hasse-Weil, as shown below; and

(3) $d(x', f') = 0$ if, and only if, $x' = \mathcal{O}$ and $f' = 0$.

Both (1) and (3) follow from the fact that $d(\mathcal{O}) = 0$ and from the definition of $f$-representations. For (2), let $d = \gcd(\deg \mathfrak{p}_1, \deg \mathfrak{p}_2)$ and $D := \frac{\deg \mathfrak{p}_2}{d} \mathfrak{p}_1 - \frac{\deg \mathfrak{p}_1}{d} \mathfrak{p}_2 \in \mathrm{Div}(K)$. Then, for $n = |\mathrm{Pic}^0_{\mathbb{F}_q}(K)|$, the divisor $nD$ is principal. Now, by Hasse-Weil, $n \le (1 + \sqrt{q})^{2g}$ [?, p. 287, Corollary 6.3 and Remark 6.4]. As $nD \ne 0$ must be the divisor of a non-constant unit $\varepsilon$ of $\mathcal{O}$, we obtain

$$R \le |v_1(\varepsilon)| \le \frac{\deg \mathfrak{p}_2}{d} (1 + \sqrt{q})^{2g}.$$

Note that this bound is rather crude; for example, for real quadratic function fields of Richaud-Degert type, the regulator is very small.
Our method is formulated in the following lemma:

Lemma 6.1. Let $p_1, \dots, p_t$ be all primes $\le B$, and define

$$m := \prod_{i=1}^{t} p_i^{\lfloor \log R' / \log p_i \rfloor},$$

where $R'$ satisfies $R' \ge R$. Then $R$ is $B$-smooth if, and only if, $d(m \cdot (x, f)) = 0$.

Proof. Firstly, note that $R$ is $B$-smooth if, and only if, $R \mid m$, as $R \le R'$. Secondly, the cyclic group $\mathrm{Rep}_{\mathrm{discrete}}(X, d)$ is generated by $(x, f)$ and has order $R$, whence $m \cdot (x, f)$ is the identity (i.e. has distance $0$) if, and only if, $m$ is an integer multiple of $R$. $\square$

Note that our method is very similar to the computations done in J. Pollard's $(p-1)$-method [?, p. 93, Algorithm 3.14] or in H. W. Lenstra's Elliptic Curve Method for Factorization [14].

Remark 3. To evaluate $m \cdot (x, f)$, one can proceed iteratively, as is usually done in Pollard's $(p-1)$-method and in Lenstra's Elliptic Curve Method: Define $(x_0, f_0) := (x, f)$ and

$$(x_i, f_i) := p_i^{\lfloor \log R' / \log p_i \rfloor} \cdot (x_{i-1}, f_{i-1}), \qquad 1 \le i \le t.$$

Then $m \cdot (x, f) = (x_t, f_t)$. To compute $(x_i, f_i)$ from $(x_{i-1}, f_{i-1})$, one does $\lfloor \log R' / \log p_i \rfloor$ consecutive multiplications of $(x_{i-1}, f_{i-1})$ by $p_i$.

Therefore, to compute $m \cdot (x, f)$ using this method, one needs

$$O\Bigl(\sum_{i=1}^{t} \Bigl\lfloor \frac{\log R'}{\log p_i} \Bigr\rfloor \log p_i\Bigr) = O(t \log R')$$

group operations in $\mathrm{Rep}_{\mathrm{discrete}}(X, d)$, assuming a square-and-multiply technique is used for multiplication by $p_i$.

In the case of infrastructures obtained from function fields, we get:

Corollary 2. If $(X, d)$ is a discrete infrastructure of circumference $R$ obtained from a function field (as in Section 2) of genus $g$ with full field of constants $\mathbb{F}_q$, then one needs at most $O(t g \log q)$ giant step and $O(t g^2 \log q)$ baby step computations to check whether $R$ is $p_t$-smooth, where $p_t$ is the $t$-th prime number.
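The constructions of Sections 3 to 6 worked through on a constructed toy infrastructure, as an added example that is not part of the paper: the group $(\mathrm{Rep}_{\mathrm{discrete}}(X, d), +)$ is built from $\mathrm{bs}$, $\mathrm{bs}^{-1}$, $\mathrm{gs}$ and relative distances only (Remark 1, Proposition 3), Pohlig-Hellman in the inverse-free form of Equation (2) recovers the absolute distance of $(x, 0)$ (Section 5), and Lemma 6.1 with the iteration of Remark 3 tests whether $R$ is $B$-smooth. The class `ToyInfrastructure`, its point set and $R = 360$ are stand-ins for $\mathrm{Red}(K)$ that hide the absolute distances, and brute force replaces the $O(\sqrt{p})$ prime-order solver the running-time bounds assume.

```python
from math import isqrt

class ToyInfrastructure:
    # Constructed stand-in for Red(K): X = {0,...,|X|-1}; R and the distance
    # list are private, callers only get bs, bs^-1, gs and relative distances.
    def __init__(self, R, dist):        # dist: increasing ints in [0,R), dist[0]==0
        assert dist[0] == 0 and dist == sorted(set(dist)) and dist[-1] < R
        self._R, self._d = R, dist
    def bs(self, x):                    # next point along the circle
        return (x + 1) % len(self._d)
    def bs_inv(self, x):
        return (x - 1) % len(self._d)
    def gs(self, x, y):                 # first point at or after d(x)+d(y)
        t = (self._d[x] + self._d[y]) % self._R
        return next((i for i, v in enumerate(self._d) if v >= t), 0)
    def rel_bs(self, x):                # d(bs(x)) - d(x), reduced into [0,R)
        return (self._d[self.bs(x)] - self._d[x]) % self._R
    def rel_gs(self, x, y):             # d(gs(x,y)) - d(x) - d(y), in [0,R)
        return (self._d[self.gs(x, y)] - self._d[x] - self._d[y]) % self._R

class RepGroup:
    # (Rep_discrete(X,d), +) of Proposition 3, built from the oracle above only.
    def __init__(self, infra):
        self.I, self.zero = infra, (0, 0)   # (O,0) is the identity (Section 6 (3))
    def normalize(self, x, f):          # Remark 1: the f-representation of (x,f)
        while f < 0:                    # step (1): inverse baby steps
            x = self.I.bs_inv(x)
            f += self.I.rel_bs(x)       # Delta = d(old x) - d(bs^-1(old x))
        while True:                     # steps (2)-(4): baby steps
            delta = self.I.rel_bs(x)    # Delta' = d(bs(x)) - d(x)
            if delta > f:
                return (x, f)
            x, f = self.I.bs(x), f - delta
    def add(self, a, b):                # Proposition 3: one gs, then normalize
        (x, f), (y, g) = a, b
        return self.normalize(self.I.gs(x, y), f + g - self.I.rel_gs(x, y))
    def mul(self, n, a):                # n*a by double-and-add, n >= 0
        acc = self.zero
        while n:
            if n & 1:
                acc = self.add(acc, a)
            a, n = self.add(a, a), n >> 1
        return acc

def pohlig_hellman(G, R, factors, g, h):
    # n in [0,R) with n*g == h, g of order R = prod p^e over factors.items()
    # (Section 5, Equation (2)); -k*u is taken as (p^l - k)*u, so no inverses.
    residues = []
    for p, e in factors.items():
        base, n_i = G.mul(R // p, g), 0           # base has order p (or 1)
        for l in range(1, e + 1):
            u = G.mul(R // p**l, g)               # p^l * u == 0
            target = G.add(G.mul(R // p**l, h), G.mul(p**l - n_i, u))
            # brute force for n' stands in for the O(sqrt p) method assumed in
            # the running-time bound (baby-step giant-step or rho)
            n_i += next(k for k in range(p) if G.mul(k, base) == target) * p**(l - 1)
        residues.append((n_i, p**e))
    n, M = 0, 1                                   # Chinese Remainder Theorem
    for r, q in residues:
        n, M = n + ((r - n) * pow(M, -1, q) % q) * M, M * q
    return n

def is_smooth_circumference(G, g, R_upper, B):
    # Lemma 6.1 / Remark 3: R is B-smooth iff m*g == 0 for
    # m = prod_{p <= B prime} p^floor(log R'/log p), with R' >= R.
    acc = g
    for p in (q for q in range(2, B + 1) if all(q % r for r in range(2, isqrt(q) + 1))):
        k = 0
        while p ** (k + 1) <= R_upper:            # k = floor(log R'/log p), exactly
            k += 1
        for _ in range(k):
            acc = G.mul(p, acc)                   # multiply by p, k times
    return acc == G.zero

def demo():
    R, factors = 360, {2: 3, 3: 2, 5: 1}          # constructed: 2^3 * 3^2 * 5
    dist = sorted({(17 * i * i + 5 * i) % R for i in range(60)} | {0})
    infra, x = ToyInfrastructure(R, dist), len(dist) // 2
    G = RepGroup(infra)
    g = G.normalize(0, 1)                         # (O,1) or (bs(O),0): distance 1
    return {"recovered": pohlig_hellman(G, R, factors, g, (x, 0)),
            "true_distance": infra._d[x],         # peeking, for the check only
            "order_ok": G.mul(R, g) == G.zero,
            "smooth_B5": is_smooth_circumference(G, g, 400, 5),
            "smooth_B3": is_smooth_circumference(G, g, 400, 3)}
```

With $R' = 400 \ge R$, the test with $B = 5$ reports smooth and the test with $B = 3$ does not, exactly as Lemma 6.1 predicts for $R = 2^3 \cdot 3^2 \cdot 5$.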

7. Pohlig-Hellman and infrastructures based on number fields

In the case that $K$ is a number field of unit rank one, i.e. with two places at infinity, one can construct a cyclic infrastructure basically the same way as for function fields with two places at infinity. This is, for example, described in [6]. In the number field case, $\mathcal{O}$ is the integral closure of $\mathbb{Z}$ in $K$, and $\mathbb{F}_q^*$ is replaced by the roots of unity in $K$. The places at infinity correspond to the (non-conjugate) embeddings $K \to \mathbb{C}$; if the two embeddings are $\sigma_1$ and $\sigma_2$, the condition that $\deg \mathfrak{p}_i = 1$ for one $i$ corresponds to $\sigma_i(K) \subseteq \mathbb{R}$. Moreover, the valuations $v_i$ are defined by $v_i(x) := -\log |\sigma_i(x)|$, $x \in K^*$. Let $(X, d)$ be the resulting infrastructure.

Note that if $a \in K^*$, then $|\sigma_i(a)|$ is algebraic over $\mathbb{Q}$ and, hence, $v_i(a)$ is transcendental over $\mathbb{Q}$ by Lindemann's Theorem if $v_i(a) \ne 0$. Therefore, in particular, neither $R$ nor any element of $d(X)$, except $0$, is a rational number, whence $(X, d)$ is far from being discrete.

Let $x \in \mathcal{O} \setminus \{0\}$. We want to investigate when $\frac{v_1(x)}{R} \in \mathbb{Q}$ happens. If $R = v_1(\varepsilon)$ for $\varepsilon \in \mathcal{O}^*$, we have that $\frac{v_1(x)}{R} = \frac{p}{q}$ with $p, q \in \mathbb{Z} \setminus \{0\}$ implies $|\sigma_1(x^q / \varepsilon^p)| = 1$. By [31, p. 285, (8)], we must have $|\sigma_2(x^q / \varepsilon^p)| = 1$. Now, if $\mathcal{O}x$ is reduced, this implies that $\frac{x^q}{\varepsilon^p}$ is a root of unity, i.e. is equal to $\pm 1$, i.e. we have that $x^q = \pm \varepsilon^p$. But then, we have

$$N_{K/\mathbb{Q}}(x)^q = N_{K/\mathbb{Q}}(x^q) = N_{K/\mathbb{Q}}(\pm \varepsilon^p) = \pm 1,$$

whence our assumption $x \in \mathcal{O}$ implies that $x \in \mathcal{O}^*$. This is the main ingredient of the following result:

Proposition 4. If $\mathfrak{a} \in \mathrm{Red}(K)$, then $(\mathfrak{a}, 0)$ has finite order in $\mathrm{Rep}_f(X, d)$ if, and only if, $\mathfrak{a} = \mathcal{O}$.

Proof. If $\mathfrak{a} = \mathcal{O}$, then $(\mathfrak{a}, 0)$ is the identity of $\mathrm{Rep}_f(X, d)$. For the other direction, write $\mathfrak{a} = \mathcal{O}x$ with $x \in \mathcal{O}$. As $d : \mathrm{Rep}_f(X, d) \to \mathbb{R}/R\mathbb{Z}$, $(\mathfrak{b}, f) \mapsto d(\mathfrak{b}) + f$, with $d(\mathcal{O}x, f) = -v_1(x) + f + R\mathbb{Z}$, is an isomorphism, $(\mathfrak{a}, 0)$ having finite order means that $\frac{v_1(x)}{R} \in \mathbb{Q}$. By the discussion before the proposition, this implies $x \in \mathcal{O}^*$, whence $\mathfrak{a} = \mathcal{O}x = \mathcal{O}$. $\square$

As the Pohlig-Hellman method (or any other of the standard discrete logarithm problem solvers) requires an element of finite order (of whose order an integer multiple has to be known in the case of the Pohlig-Hellman method), we cannot directly apply the Pohlig-Hellman method to $(\mathfrak{a}, 0) \in \mathrm{Rep}_f(X, d)$, but have to find a positive real number $f \in \mathbb{R}$ and an $f$-representation $(\mathfrak{b}, f') \in \mathrm{Rep}_f(X, d)$ with $d(\mathfrak{a}) + f = d(\mathfrak{b}) + f'$ such that $(\mathfrak{b}, f')$ has finite order in $\mathrm{Rep}_f(X, d)$.

This of course opens the question how to find such an $f$, if one does not already know $d(\mathfrak{a})$ and $R$. Obviously, if one knows $d(\mathfrak{a})$ in advance, there is no need to apply the Pohlig-Hellman method to compute $d(\mathfrak{a})$. Hence, one has to find $f$ without this information, or one has to adjust the Pohlig-Hellman method to circumvent this problem.

Finally, as Lenstra used a different distance function in the case that $K$ is a real quadratic number field [15], we want to investigate whether with his distance function, a Pohlig-Hellman variant is possible. Let $K$ be a real quadratic number field and let $\sigma$ be the unique non-trivial automorphism of $K$. Assume that $\mathcal{O}x \in \mathrm{Red}(K)$.

Instead of using the distance $-v_1(x) + R\mathbb{Z}$, Lenstra uses $\frac{1}{2}(v_2(x) - v_1(x)) + R\mathbb{Z}$. Then, $\frac{v_2(x) - v_1(x)}{R} = \frac{p}{q} \in \mathbb{Q}$ is equivalent to $\frac{\sigma_1(x^q)}{\sigma_2(x^q)} = \pm \sigma_1(\varepsilon^{-p})$ for $p, q \in \mathbb{Z}$, $q \ne 0$. Now $\sigma(x^q) = \pm x^q \varepsilon^{p}$ means that if $\mathfrak{p}$ is a finite place of $K$, then $q\, v_{\mathfrak{p}}(x) = q\, v_{\sigma(\mathfrak{p})}(x)$. But this means that $\frac{x}{\sigma(x)} \in \mathcal{O}^*$, which implies $\varepsilon^{-p/q} \in \mathcal{O}^*$. Since $\mathcal{O}^* = \langle -1, \varepsilon \rangle$, it follows that $\frac{p}{q} \in \mathbb{Z}$. Without loss of generality, assume $q = 1$, i.e. we have $\frac{v_2(x) - v_1(x)}{R} = p$. Hence, $\frac{v_2(x) - v_1(x)}{2} + R\mathbb{Z}$ can attain at most the values $0 + R\mathbb{Z}$ and $\frac{R}{2} + R\mathbb{Z}$ in $\mathbb{R}/R\mathbb{Z}$, whence by [?, p. 15, Section 10] there are at most two $f$-representations $(\mathcal{O}x, 0) \in \mathrm{Rep}_f(X, d)$ of finite order, and the possible orders are one or two.

By this argumentation, we have the same problems implementing Pohlig-Hellman using this distance function as in the case of the other distance function.
8. Conclusion

There exist several cryptosystems employing discrete cyclic infrastructures; for examples of such, see [3], [25], [26], [23], [12], [11]. They are all based on the hardness of computing distances: if $(X, d)$ is a cyclic infrastructure, these systems require that it is hard to compute $d(x)$ for a general $x \in X$. Note that this is equivalent to computing $d(x, 0)$ for $(x, 0) \in \mathrm{Rep}_f(X, d)$.

Now assume that (X, d) is discrete with circumference R, and that an integer 
multiple R' of R is known. Moreover, assume that R' is smooth, i.e. that R' 
factors with relatively small prime factors. If baby, inverse baby and giant steps 
and relative distances can be computed efficiently, we can use the Pohlig-Hellman 
method described in Section [5] to compute d(x,0) relatively fast. 

Hence, in order for cryptosystems which are based on the hardness of computing 
absolute distances in discrete cyclic infrastructures to be safe, one has to use discrete 
infrastructures such that 

(a) either it is very hard to compute a multiple R' of R which can be factorized, 

(b) or R is not smooth, i.e. has at least one very large prime factor. 

In (a), it may even be enough that only a part of R' can be factorized, if this 
part is still a multiple of R: assume that R' factors as R_1 R_2, where R_1 is smooth, 
i.e. has small prime factors, but R_2 has only very large prime factors. Then it still 
might be that R_2 is not needed for computing d(x): one computes R_1 · (O, 1), and 
if it equals (O, 0), one can take R_1 instead of R. If one knows that R is smooth, R 
will be a divisor of R_1 and we will have R_1 · (O, 1) = (O, 0). 
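The two computations just described, namely the Pohlig-Hellman recovery of d(x, 0) from a smooth multiple R' of R (Section 5) and the test R_1 · (O, 1) = (O, 0) for the smooth part R_1 of R', worked through on a constructed toy model. This is an added example, not code from the paper: the class DiscreteCyclicInfrastructure, its hidden multiplier s, and the values R = 27720, R' = 720720 and d(x) = 1234 are my own assumptions, and the model stands in for Rep_f(X, d) ≅ Z/RZ by exposing only the elements (O, 0) and (O, 1), giant steps, inverse steps and equality, while keeping R itself hidden from the solver.

```python
from math import gcd, isqrt
import random


class DiscreteCyclicInfrastructure:
    """Toy oracle for Rep_f(X, d) of a discrete cyclic infrastructure of
    circumference R (constructed model: Rep_f(X, d) is Z/RZ). R is hidden;
    elements are opaque labels s*d mod R for a hidden unit s, and only the
    operations the text assumes to be efficient are exposed."""

    def __init__(self, circumference, seed=0):
        self._R = circumference
        rng = random.Random(seed)
        s = rng.randrange(1, circumference)
        while gcd(s, circumference) != 1:
            s = rng.randrange(1, circumference)
        self._s = s

    def element_at(self, d):        # test helper: the element at absolute distance d
        return (self._s * d) % self._R

    def zero(self):                 # (O, 0), the neutral element
        return 0

    def one(self):                  # (O, 1), absolute distance 1
        return self.element_at(1)

    def giant(self, a, b):          # giant step: sum of two elements
        return (a + b) % self._R

    def inverse(self, a):           # inverse step: negation
        return (-a) % self._R

    def scalar(self, n, a):
        """n*a by double-and-add, i.e. O(log n) giant steps."""
        result, base = self.zero(), a
        while n:
            if n & 1:
                result = self.giant(result, base)
            base = self.giant(base, base)
            n >>= 1
        return result


def factor_trial(n):
    """Trial division, returning {p: e}; adequate because R' is assumed smooth."""
    factors, d = {}, 2
    while d * d <= n:
        while n % d == 0:
            factors[d] = factors.get(d, 0) + 1
            n //= d
        d += 1
    if n > 1:
        factors[n] = factors.get(n, 0) + 1
    return factors


def bsgs_prime_order(infra, g, h, p):
    """Baby-step giant-step: c in [0, p) with c*g = h, where g has prime order p."""
    m = isqrt(p) + 1
    baby, cur = {}, infra.zero()
    for j in range(m):
        baby.setdefault(cur, j)
        cur = infra.giant(cur, g)
    step, cur = infra.inverse(infra.scalar(m, g)), h
    for i in range(m):
        if cur in baby:
            return (i * m + baby[cur]) % p
        cur = infra.giant(cur, step)
    raise ValueError("h is not a multiple of g")


def absolute_distance(infra, x, R_multiple):
    """Pohlig-Hellman: returns (d(x), R) given any multiple R' of R."""
    g, moduli, residues = infra.one(), [], []
    for p, e in factor_trial(R_multiple).items():
        cofactor = R_multiple // p ** e
        gp, xp = infra.scalar(cofactor, g), infra.scalar(cofactor, x)
        ep, cur = 0, gp              # the order of gp is p^ep, where p^ep exactly divides R
        while cur != infra.zero():
            if ep == e:
                raise ValueError("R' is not a multiple of the circumference")
            cur, ep = infra.scalar(p, cur), ep + 1
        if ep == 0:
            continue                 # p does not divide R
        base = infra.scalar(p ** (ep - 1), gp)        # element of order exactly p
        d_p = 0
        for k in range(ep):          # recover d mod p^ep one base-p digit at a time
            rem = infra.giant(xp, infra.inverse(infra.scalar(d_p, gp)))
            target = infra.scalar(p ** (ep - 1 - k), rem)
            d_p += bsgs_prime_order(infra, base, target, p) * p ** k
        moduli.append(p ** ep)
        residues.append(d_p)
    R, d = 1, 0                      # Chinese remainder theorem over the p-parts
    for m, r in zip(moduli, residues):
        d, R = d + R * (((r - d) * pow(R, -1, m)) % m), R * m
    return d % R, R


def smooth_part_suffices(infra, R1):
    """The test from the text: R_1*(O, 1) = (O, 0) holds iff R divides R_1,
    in which case the unfactored part R_2 of R' = R_1*R_2 is not needed."""
    return infra.scalar(R1, infra.one()) == infra.zero()


if __name__ == "__main__":
    # Constructed values: hidden R = 2^3*3^2*5*7*11 = 27720, known R' = 2*13*R.
    infra = DiscreteCyclicInfrastructure(27720, seed=1)
    x = infra.element_at(1234)
    print(absolute_distance(infra, x, 720720))     # (1234, 27720)
    print(smooth_part_suffices(infra, 55440))      # True: 27720 divides 55440
    print(smooth_part_suffices(infra, 5040))       # False: 11 does not divide 5040
```

Because the solver has to determine the order of (O, 1) in each p-part of R' before it can solve for the corresponding digits, it recovers the factorisation of R as a by-product; in this model, absolute_distance therefore also serves as the check, relative to the known multiple R', of whether the circumference is smooth.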

To avoid the possibility that the Pohlig-Hellman method can be used, one has 
to use function fields whose regulator is not B-smooth for a "large enough" B. A 
naive way to find such function fields is to randomly pick a function field (with 
two places at infinity, one of them of degree one) and to apply the algorithm from 
Section 5 to check whether the regulator is B-smooth; this procedure is repeated 
until a suitable function field is found. 

This leads to several important questions: 

(1) How smooth is the regulator of an average function field with two places at 
infinity, one of them of degree one? 

In [26, Section 6.1], R. Scheidler, A. Stein and H. C. Williams apply the heuristic 
arguments of H. Cohen and H. W. Lenstra to real hyperelliptic function fields. They 
reason that the odd part of the ideal class group Pic(O) of O in the real hyperelliptic 
function field case is small with high probability. As R · |Pic(O)| = |Pic^0(K)|, 
and |Pic^0(K)| ∈ [(√q − 1)^{2g}, (√q + 1)^{2g}], this shows that R is large with high 
probability. More importantly, the smoothness of R is more or less equivalent to 
the smoothness of |Pic^0(K)| under the assumption of these heuristics. 

An equivalent to the Cohen-Lenstra heuristics for quadratic number fields is the 
heuristics by E. Friedman and L. C. Washington [5] for quadratic function fields. 
The main difference to the number field case is that for function fields, these have 
been proven (in a slightly modified version) by J. D. Achter [1] in certain cases. In 
our case, an older result by J. D. Achter and J. Holden [2] already gives sufficient 
information. Let ℓ be a prime which is coprime to q. Then, by [2, Lemma 3.3], 
the proportion of real hyperelliptic function fields K of genus g over F_q for which 
ℓ ∤ |Pic^0(K)| is 1 − … + O(1/…) if ℓ ≡ 1 (mod q) and 1 − … + O(1/ℓ^3) if ℓ ≢ 1 
(mod q). This is slightly less than the probability that a random natural number in 
the interval [(√q − 1)^{2g}, (√q + 1)^{2g}] is not divisible by ℓ, which is approximately 1 − 1/ℓ. 

Therefore, one expects that R is B-smooth with a slightly higher probability than 
that a random natural number in the interval [(√q − 1)^{2g}, (√q + 1)^{2g}] is B-smooth, 
which is rather low for B ≪ q^g. 
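To put a number on "rather low", the following added example (not from the paper) counts the B-smooth integers in the interval [(√q − 1)^{2g}, (√q + 1)^{2g}] exactly, by brute-force enumeration, for constructed toy parameters; the function names and the choices q = 1009, g = 2 and the values of B are my own, and the sizes are kept small enough for exhaustive counting.

```python
from math import ceil, floor, isqrt, sqrt


def primes_up_to(bound):
    """Sieve of Eratosthenes: all primes p <= bound."""
    if bound < 2:
        return []
    sieve = bytearray([1]) * (bound + 1)
    sieve[0] = sieve[1] = 0
    for p in range(2, isqrt(bound) + 1):
        if sieve[p]:
            sieve[p * p::p] = bytearray(len(range(p * p, bound + 1, p)))
    return [p for p in range(2, bound + 1) if sieve[p]]


def is_smooth(n, small_primes):
    """True iff every prime factor of n lies in small_primes (n is B-smooth)."""
    for p in small_primes:
        while n % p == 0:
            n //= p
        if n == 1:
            return True
    return n == 1


def hasse_weil_interval(q, g):
    """Integer endpoints of [(sqrt(q)-1)^(2g), (sqrt(q)+1)^(2g)], the range
    in which |Pic^0(K)| lies for a function field of genus g over F_q."""
    return ceil((sqrt(q) - 1) ** (2 * g)), floor((sqrt(q) + 1) ** (2 * g))


def smooth_fraction(q, g, B):
    """Exact proportion of B-smooth integers in the interval for (q, g).
    Brute force over the whole interval, so only for toy sizes of q^g."""
    lo, hi = hasse_weil_interval(q, g)
    small = primes_up_to(B)
    hits = sum(1 for n in range(lo, hi + 1) if is_smooth(n, small))
    return hits / (hi - lo + 1)


if __name__ == "__main__":
    # constructed toy parameters: q = 1009, g = 2, so q^g is about 10^6
    for B in (20, 100, 1000):
        print(B, round(smooth_fraction(1009, 2, B), 4))
```

The fraction grows with B, as the argument above requires, and stays small as long as B is far below q^g; a designer picking a regulator bound B for the smoothness test can use the same enumeration, at toy sizes, to see what "large enough" means in practice.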

A more straightforward approach to the problem of finding function fields whose 
regulator is not B-smooth would be to ask the following question: 

(2) Can one efficiently construct function fields with two places at infinity, one of 
them of degree one, such that the regulator is known to have a very large prime 
factor? 

More generally, one can also ask the following question: 

(3) Given an arbitrary positive integer R, can one efficiently construct a function 
field with two places at infinity, one of them of degree one, which has regulator 
R, or R · ℓ with ℓ ∈ N small? 

In the case of real elliptic function fields, this is basically equivalent to finding an 
elliptic curve together with a rational point of order R, as it is explained in [31]: if 
E is an elliptic curve over F_q with the point ∞ at infinity, and if P ∈ E(F_q) \ {∞}, 
one can transform the equation of E such that one obtains a function field with two 
places at infinity, which correspond to the two points P and ∞ of E. Moreover, 
the regulator of this new function field is exactly the order of P, and the reduced 
principal ideals correspond to the multiples of P. For hyperelliptic function fields, 
one has a similar correspondence; see [19]. 

Currently, elliptic or hyperelliptic curves (or, more precisely, their imaginary 
function field counterparts K) with a specific number of points (i.e. elements in 
Pic^0(K)) are usually constructed using complex multiplication, or by choosing 
curves from very special families of curves (see, for example, [?]). It is currently 
not known whether there are special attacks for these classes of curves. 

A final question arises from the fact that there are also proposals for cyclic 
infrastructure based cryptography for infrastructures obtained from number fields 
(for examples, see [23], [?], [12]). In the previous section, we have seen that the 
Pohlig-Hellman method cannot be applied in the number field case in its current 
state. Therefore, one can ask the following: 

(4) Can a similar method be applied to cyclic infrastructures obtained from number 
fields, or generally to non-discrete cyclic infrastructures? 

So far, the author is not aware of any idea of whether this question can be answered 
positively. 